ARP request spoofing

Question

I'm working on an SDN-based access/backhaul network. For some experiments I need to generate an ARP request from one of the node in my network, pretending to be another one. Essentially this ARP request will be injected into the network by the controller, but for the moment I have to test if this solution works by generating the ARP packet locally.

Let's assume a client (on which I do not have control) connected to my network has MAC AA:AA:AA:AA:AA:AA. From an interface of a node with a different MAC I want to generate an ARP request (broadcast message) that has as source MAC AA:AA:AA:AA:AA:AA (the client's one).

I would need a CLI tool that can send the crafted ARP request (a sort of arping in which I can specify the src MAC). I tried with pachETH but it needs the pcap file to work via CLI, while ETTERCAP seems to generates ARP reply but not the request. Any hint?

Answer 1

You can use scapy for this. One approach is to record one or more ARP packets first:

pk = sniff(count=1, filter="arp")
pk.summary()

And later use this to build your own ARP request:

arppk = eval(pk[0].command())

Now you can set own values in arppk:

arppk[ARP].hwsrc = 'AA:AA:AA:AA:AA:AA'

The function ls(ARP) shows you more available options.

Answer 2

I think the best option for you is to use scapy

You have also a lot of examples on the internet for generate packets. Im sure that there is other tools but scapy is the one that I use for that type of work.

Answer 3

I'd recommend to create a simple Python script using the module scapy to craft packets.

Here's an idea of the kind of syntax you need:

from scapy.all import *

mode = "who-has"
destinationMac = "FF:FF:FF:FF:FF:FF"
sourceMac = "AA:AA:AA:AA:AA:AA"
destinationIP = "192.168.x.x"
sourceIP = "192.168.x.x"

sendp(Ether(dst=destinationMac, src=sourceMac)/ARP(hwsrc=sourceMac, pdst=destinationIP, psrc=sourceIP, op=mode), verbose=0)